These changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that personal information is protected - no matter where it is sent, processed or stored - even outside the European Union, as is the case on the Internet.

What Is Personal Data?

Personal data is defined as any information relating to an identified or identifiable person. A person is considered identifiable if he can be directly or indirectly identified.

This is already the case when an identifier is used. Examples of identifiers are: a name, an identification number, a person’s location data, or an IP address. Moreover, a person is also identifiable if one or more facts are gathered that are characteristic of his physical, physiological, genetic, mental, economic, cultural, or social identity.

In fact, it does not take much at all for data to be considered personal data. Unintended or deliberate combinations of items of non-identifiable data may cause the data to become identifiable.

The rules and obligations of the GDPR apply as soon as processing of data begins. The GDPR defines processing as performing any action or set of actions on data, automated or otherwise. Some examples include recording, structuring, or even destroying data. In other words, whenever you handle personal data, the GDPR applies.

Strong Enforcement of the Rules

Each organization is obligated to demonstrate its compliance in a number of ways. It must prove that staff have undergone proper training. Organizations also need to remember that personal data is not only customers' and clients' data but also their employees' personal data. Anyone who anonymizes data is still bound by the law, because they have access to the data in the first place.

After May 25, 2018, organizations will be held responsible for any violations. Failure to comply can lead to severe penalties of either up to 4% of the company's annual global turnover or 20 million Euro.

This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines. A company can be fined 2% for not having its records in order, or for not notifying the supervising authority and impacted person about a breach. Failure to conduct an assessment is also subject to the same fine.

Relevant for Everyone who Trades with EU Countries

The GDPR applies to all companies processing the personal data of individuals residing in the European Union. This is regardless of the company’s location. Exceptions are made for processing that falls outside the scope of European legislation or when personal data is processed by competent authorities in order to fight crime. Furthermore, the regulation does not apply in the event that a person has died.

The GDPR is Based on 6 Principles

The principles of the GDPR are focused on the privacy rights of every individual when it comes to collecting and processing their data:

1. Lawfulness, Fairness, and Transparency: This principle dictates that personal data needs to be processed in a way that is lawful to the subject.

2. Purpose Limitation: The data processors can only use the data for the objectives they’ve explicitly described and justified.

3. Data Minimization: The information that is required must be relevant to its purpose and limited to what is necessary.

4. Truth and Accuracy: If some of the data is inaccurate, it should be removed or rectified.

5. Storage Limitation: Data is kept in a form which permits identification of persons for no longer than is necessary.

6. Integrity and Confidentiality: All required measures must be taken to ensure all personal data is protected.

6 Privacy Rights

The number of rights assigned to individuals has been extended under the GDPR. These include:

1. The right of a person to be informed when personal data relating to him is gathered.

2. The right of inspection.

3. The right to obtain the erasure of personal data (the right to be forgotten).

4. The right to processing restrictions.

5. A person's right to have his data transferred to other data processors.

6. The right not to be subject to a decision based solely on automated processing, including profiling.

Any breach of these rights qualifies for sanctions. It is therefore essential to set up procedures for complying with these principles and rights. You must be able to demonstrate these procedures.

The Right to be Forgotten

The previously mentioned 'right to be forgotten' needs some clarification. When an individual no longer wants his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.

It should be clear that this is about protecting the privacy of the individual, not about erasing past events or restricting freedom of the press. Freedom of expression, as well as historical and scientific research, is safeguarded.

International Organizations: These Rules Apply

International organizations need to take notice. Personal data is only to be transferred to a third country if an adequate level of protection is ensured. Third countries should be governed according to the rule of law, and respect human rights and fundamental freedoms. Moreover, transfers are subject to appropriate safeguards.

The GDPR also brings some new obligations to controllers. The regulation describes a controller as 'a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data'. Controllers are obliged to keep a record of the following data:

1. The name and contact details of the controller and of the data processing officer appointed by the controller, as well as the processor, if applicable.

2. The processing objectives.

3. A description of the categories of personal data.

4. The categories of recipients to whom personal data has been or will be supplied, including when these are international organizations or located in third countries.

5. The third country or international organization to which the controller transferred personal data and the documents concerning appropriate safeguards for governance.

6. The envisaged periods of time within which the different categories of personal data must be deleted.

7. A general description of the technical and organizational security measures.

Controllers are not the only ones who are obliged to keep these records. People who support controllers' tasks, such as IT professionals, need to comply too.

The GDPR Cites 'Privacy by Design' and 'Privacy by Default'

The GDPR explicitly cites the concepts 'privacy by design' and 'privacy by default'. The controller is obliged to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose are processed. That obligation applies to the amount of personal data collected, the extent of the processing, the period of storage, and accessibility. Such measures must ensure that personal data are not made accessible to an indefinite number of people, without the individual’s intervention.